Return hashes and expiration when fetching signed tags
This commit is contained in:
parent
1a78722521
commit
217b4a5ab2
5 changed files with 42 additions and 44 deletions
|
@ -11,17 +11,6 @@ from endpoints.api import (require_repo_read, path_param,
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
def _default_signed_tags_for_repository(namespace, repository):
|
|
||||||
""" Fetches the tags in the targets/releases delegation, which is the one the docker client will trust. """
|
|
||||||
tag_data, _ = tuf_metadata_api.get_default_tags(namespace, repository)
|
|
||||||
if not tag_data:
|
|
||||||
return {'tags': None}
|
|
||||||
|
|
||||||
return {
|
|
||||||
'tags': tag_data.keys()
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
@show_if(features.SIGNING)
|
@show_if(features.SIGNING)
|
||||||
@resource('/v1/repository/<apirepopath:repository>/signatures')
|
@resource('/v1/repository/<apirepopath:repository>/signatures')
|
||||||
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
|
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
|
||||||
|
@ -32,6 +21,10 @@ class RepositorySignatures(RepositoryParamResource):
|
||||||
@nickname('getRepoSignatures')
|
@nickname('getRepoSignatures')
|
||||||
@disallow_for_app_repositories
|
@disallow_for_app_repositories
|
||||||
def get(self, namespace, repository):
|
def get(self, namespace, repository):
|
||||||
""" Fetches the list of signed tags for the repository"""
|
""" Fetches the list of signed tags for the repository"""
|
||||||
return _default_signed_tags_for_repository(namespace, repository)
|
tag_data, expiration = tuf_metadata_api.get_default_tags_with_expiration(namespace, repository)
|
||||||
|
return {
|
||||||
|
'tags': tag_data,
|
||||||
|
'expiration': expiration
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
import pytest
|
import pytest
|
||||||
|
from flask_principal import AnonymousIdentity
|
||||||
|
|
||||||
from endpoints.api import api
|
from endpoints.api import api
|
||||||
from endpoints.api.team import OrganizationTeamSyncing
|
from endpoints.api.team import OrganizationTeamSyncing
|
||||||
|
@ -10,6 +11,7 @@ from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_f
|
||||||
|
|
||||||
TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
|
TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
|
||||||
BUILD_PARAMS = {'build_uuid': 'test-1234'}
|
BUILD_PARAMS = {'build_uuid': 'test-1234'}
|
||||||
|
REPO_PARAMS = {'repository': 'devtable/someapp'}
|
||||||
|
|
||||||
@pytest.mark.parametrize('resource,method,params,body,identity,expected', [
|
@pytest.mark.parametrize('resource,method,params,body,identity,expected', [
|
||||||
(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),
|
(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),
|
||||||
|
@ -37,10 +39,9 @@ BUILD_PARAMS = {'build_uuid': 'test-1234'}
|
||||||
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403),
|
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403),
|
||||||
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'devtable', 404),
|
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'devtable', 404),
|
||||||
|
|
||||||
(RepositorySignatures, 'GET', 401, None, None),
|
(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'freshuser', 403),
|
||||||
(RepositorySignatures, 'GET', 403, 'freshuser', None),
|
(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'reader', 403),
|
||||||
(RepositorySignatures, 'GET', 403, 'reader', None),
|
(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 200),
|
||||||
(RepositorySignatures, 'GET', 404, 'devtable', None),
|
|
||||||
])
|
])
|
||||||
def test_api_security(resource, method, params, body, identity, expected, client):
|
def test_api_security(resource, method, params, body, identity, expected, client):
|
||||||
with client_with_identity(identity, client) as cl:
|
with client_with_identity(identity, client) as cl:
|
||||||
|
|
|
@ -30,14 +30,14 @@ def tags_equal(expected, actual):
|
||||||
return expected == actual
|
return expected == actual
|
||||||
|
|
||||||
@pytest.mark.parametrize('targets,expected', [
|
@pytest.mark.parametrize('targets,expected', [
|
||||||
(VALID_TARGETS, {'tags':['latest', 'test_tag']}),
|
(VALID_TARGETS, {'tags': VALID_TARGETS, 'expiration': 'expires'}),
|
||||||
({'bad': 'tags'}, ({'tags': ['bad']})),
|
({'bad': 'tags'}, {'tags': {'bad': 'tags'}, 'expiration': 'expires'}),
|
||||||
({}, ({'tags': None})),
|
({}, {'tags': {}, 'expiration': 'expires'}),
|
||||||
(None, ({'tags': None})), # API returns None on exceptions
|
(None, {'tags': None, 'expiration': 'expires'}), # API returns None on exceptions
|
||||||
])
|
])
|
||||||
def test_get_signatures(targets, expected, client):
|
def test_get_signatures(targets, expected, client):
|
||||||
with patch('endpoints.api.signing.tuf_metadata_api') as mock_tuf:
|
with patch('endpoints.api.signing.tuf_metadata_api') as mock_tuf:
|
||||||
mock_tuf.get_default_tags.return_value = (targets, False)
|
mock_tuf.get_default_tags_with_expiration.return_value = (targets, 'expires')
|
||||||
with client_with_identity('devtable', client) as cl:
|
with client_with_identity('devtable', client) as cl:
|
||||||
params = {'repository': 'devtable/repo'}
|
params = {'repository': 'devtable/repo'}
|
||||||
assert tags_equal(expected, conduct_api_call(cl, RepositorySignatures, 'GET', params, None, 200).json)
|
assert tags_equal(expected, conduct_api_call(cl, RepositorySignatures, 'GET', params, None, 200).json)
|
||||||
|
|
|
@ -36,40 +36,43 @@ class TUFMetadataAPI(object):
|
||||||
self._config = config
|
self._config = config
|
||||||
self._client = client or config['HTTPCLIENT']
|
self._client = client or config['HTTPCLIENT']
|
||||||
|
|
||||||
def get_default_tags(self, namespace, repository):
|
def get_default_tags_with_expiration(self, namespace, repository, targets_file=None):
|
||||||
""" Gets the tag -> sha mappings in the 'targets/releases' delegation
|
""" Gets the tag -> sha mappings in the 'targets/releases' delegation
|
||||||
|
Returns tags, their hashes, and their
|
||||||
"""
|
"""
|
||||||
|
if not targets_file:
|
||||||
|
targets_file = 'targets/releases.json'
|
||||||
gun = "%s/%s" % (namespace, repository)
|
gun = "%s/%s" % (namespace, repository)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
response = self._get(gun, "targets/releases.json")
|
response = self._get(gun, targets_file)
|
||||||
json_response = response.json()
|
signed = self._parse_signed(response.json())
|
||||||
targets = self._parse_targets(json_response)
|
targets = signed.get('targets')
|
||||||
|
expiration = signed.get('expires')
|
||||||
except requests.exceptions.Timeout:
|
except requests.exceptions.Timeout:
|
||||||
logger.exception('Timeout when trying to get metadata for %s', gun)
|
logger.exception('Timeout when trying to get metadata for %s', gun)
|
||||||
return None, True
|
return None, None
|
||||||
except requests.exceptions.ConnectionError:
|
except requests.exceptions.ConnectionError:
|
||||||
logger.exception('Connection error when trying to get metadata for %s', gun)
|
logger.exception('Connection error when trying to get metadata for %s', gun)
|
||||||
return None, True
|
return None, None
|
||||||
except (requests.exceptions.RequestException, ValueError):
|
except (requests.exceptions.RequestException, ValueError):
|
||||||
logger.exception('Failed to get metadata for %s', gun)
|
logger.exception('Failed to get metadata for %s', gun)
|
||||||
return None, False
|
return None, None
|
||||||
except Non200ResponseException as ex:
|
except Non200ResponseException as ex:
|
||||||
return None, ex.response.status_code != 404 and ex.response.status_code != 400
|
logger.exception('Failed request for %s: %s', gun, str(ex))
|
||||||
|
return None, None
|
||||||
except InvalidMetadataException as ex:
|
except InvalidMetadataException as ex:
|
||||||
logger.exception('Failed to parse targets from metadata', str(ex))
|
logger.exception('Failed to parse targets from metadata', str(ex))
|
||||||
return None, False
|
return None, None
|
||||||
|
|
||||||
return targets, False
|
return targets, expiration
|
||||||
|
|
||||||
def _parse_targets(self, json_response):
|
def _parse_signed(self, json_response):
|
||||||
""" Attempts to parse the targets from a metadata response """
|
""" Attempts to parse the targets from a metadata response """
|
||||||
signed = json_response.get('signed')
|
signed = json_response.get('signed')
|
||||||
if not signed:
|
if not signed:
|
||||||
raise InvalidMetadataException("Could not find `signed` in metadata: %s" % json_response)
|
raise InvalidMetadataException("Could not find `signed` in metadata: %s" % json_response)
|
||||||
targets = signed.get('targets')
|
return signed
|
||||||
if not targets:
|
|
||||||
raise InvalidMetadataException("Could not find `targets` in metadata: %s" % json_response)
|
|
||||||
return targets
|
|
||||||
|
|
||||||
def _auth_header(self, gun):
|
def _auth_header(self, gun):
|
||||||
""" Generate a registry auth token for apostille"""
|
""" Generate a registry auth token for apostille"""
|
||||||
|
|
|
@ -35,8 +35,8 @@ valid_response = {
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize('response_code,response_body,expected', [
|
@pytest.mark.parametrize('response_code,response_body,expected', [
|
||||||
(200, valid_response, valid_response['signed']['targets']),
|
(200, valid_response, (valid_response['signed']['targets'], '2020-03-30T18:55:26.594764859-04:00')),
|
||||||
(200, {'garbage': 'data'}, None)
|
(200, {'garbage': 'data'}, (None, None))
|
||||||
])
|
])
|
||||||
def test_get_metadata(response_code, response_body, expected):
|
def test_get_metadata(response_code, response_body, expected):
|
||||||
app = Flask(__name__)
|
app = Flask(__name__)
|
||||||
|
@ -46,8 +46,8 @@ def test_get_metadata(response_code, response_body, expected):
|
||||||
request.json.return_value = response_body
|
request.json.return_value = response_body
|
||||||
client.request.return_value = request
|
client.request.return_value = request
|
||||||
tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
|
tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
|
||||||
tags, _ = tuf_api.get_default_tags('quay', 'quay')
|
response = tuf_api.get_default_tags_with_expiration('quay', 'quay')
|
||||||
assert tags == expected
|
assert response == expected
|
||||||
|
|
||||||
@pytest.mark.parametrize('connection_error,response_code,exception', [
|
@pytest.mark.parametrize('connection_error,response_code,exception', [
|
||||||
(True, 200, requests.exceptions.Timeout),
|
(True, 200, requests.exceptions.Timeout),
|
||||||
|
@ -67,5 +67,6 @@ def test_get_metadata_exception(connection_error, response_code, exception):
|
||||||
client = mock.Mock(request=request)
|
client = mock.Mock(request=request)
|
||||||
client.request.side_effect = exception
|
client.request.side_effect = exception
|
||||||
tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
|
tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
|
||||||
tags, _ = tuf_api.get_default_tags('quay', 'quay')
|
tags, expiration = tuf_api.get_default_tags_with_expiration('quay', 'quay')
|
||||||
assert tags == None
|
assert tags == None
|
||||||
|
assert expiration == None
|
Reference in a new issue